It is common for enterprises to monitor out-going network web traffic. Such out-going web connections are ideally largely enterprise-related (for example, communications with customers, affiliates, and partner sites), in support of system operations, or required by employees to perform corresponding job duties. In practice, however, a myriad of diverse activities are conducted within an enterprise over the hypertext transfer protocol (HTTP). A portion of such activities are commonly associated with benign user activities, such as web browsing and social media use, but it has also become increasingly common for malware and attackers to conduct suspect activities over HTTP in an attempt to blend into network activity and evade detection. Examples of such malicious communications can include malware contacting the remote attacker to provide stolen information from infected hosts, transferring status updates, and obtaining commands for execution.
In existing detection approaches, detecting malicious communications relies heavily on the use of signatures, wherein a signature specifies the exact domain name or internet protocol (IP) address to which known undesirable traffic is destined. Such approaches, however, are only applicable to known malware or attacks, and moreover, such approaches require considerable manual work, for example, to reverse malware binaries and identify the command-and-control server. Accordingly, a need exists for techniques to detect potentially malicious communications and the host responsible by examining the external destinations contacted from within an enterprise network.